phorphiex | b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

General

Target

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Size

340KB
MD5

c73cff9e8afd69413185adb5b1ee319b
SHA1

fd0a136d08ede4cb79258252c423de43e1e6f961
SHA256

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f
SHA512

cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://193.32.161.73/

Wallets

1Bn4JYKoVgQpZ73doWVFSNZBbwKj3cpJNR

qqsagteh4m6qunmgrrknulafzcdlmzn35yeggvq8qk

Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i

D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M

0x05F916216CC4BA6ac89b8093d474E2a1e6121c63

LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7

t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sysqfgl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sysqfgl.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4224-132-0x0000000002490000-0x000000000249D000-memory.dmp	family_phorphiex
behavioral2/memory/2100-141-0x00000000024A0000-0x00000000024AD000-memory.dmp	family_phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysqfgl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysqfgl.exe

Executes dropped EXE 1 IoCs

Processes:

sysqfgl.exe

pid process

2100 sysqfgl.exe

pid	process
2100	sysqfgl.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysqfgl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysqfgl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysqfgl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\32782278\\sysqfgl.exe"	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\32782278\\sysqfgl.exe"	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

Drops file in Program Files directory 3 IoCs

Processes:

sysqfgl.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	sysqfgl.exe
File opened for modification	C:\Program Files\7-Zip\7zfm.exe	sysqfgl.exe
File opened for modification	C:\Program Files\7-Zip\7zg.exe	sysqfgl.exe

Drops file in Windows directory 3 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

description	ioc	process
File created	C:\Windows\32782278\sysqfgl.exe	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
File opened for modification	C:\Windows\32782278\sysqfgl.exe	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
File opened for modification	C:\Windows\32782278	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1196 2100 WerFault.exe sysqfgl.exe

pid	pid_target	process	target process
1196	2100	WerFault.exe	sysqfgl.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqfgl.exe

pid	process
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe
2100	sysqfgl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqfgl.exe

description	pid	process
Token: SeDebugPrivilege	4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
Token: SeDebugPrivilege	2100	sysqfgl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exesysqfgl.exe

pid	process
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
2100	sysqfgl.exe
2100	sysqfgl.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe

description	pid	process	target process
PID 4224 wrote to memory of 2100	4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqfgl.exe
PID 4224 wrote to memory of 2100	4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqfgl.exe
PID 4224 wrote to memory of 2100	4224	b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe	sysqfgl.exe

C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe
"C:\Users\Admin\AppData\Local\Temp\b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\32782278\sysqfgl.exe
  C:\Windows\32782278\sysqfgl.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1592
    3⤵
    - Program crash
    PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2100 -ip 2100
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\32782278\sysqfgl.exe

Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
C:\Windows\32782278\sysqfgl.exe

Filesize
340KB

MD5
c73cff9e8afd69413185adb5b1ee319b

SHA1
fd0a136d08ede4cb79258252c423de43e1e6f961

SHA256
b21161366811a20b0ea91afb9d3559828aa2e1480455ef9b42afb01d1fff104f

SHA512
cd7196797b00d58bea070260b28824b6852c9f13d9791ee84123b0606d606bc51e2c605bd9a2508ad0cdc510403c77cc3b084bf7491f97892db1e4b093674a41

Download Submit
memory/2100-137-0x0000000000000000-mapping.dmp

Download
memory/2100-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2100-141-0x00000000024A0000-0x00000000024AD000-memory.dmp

Filesize
52KB

Download
memory/2100-146-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4224-130-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4224-131-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4224-132-0x0000000002490000-0x000000000249D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads